Openid Connect Php

Minimalist OpenID Connect client
Alternatives To Openid Connect Php
Project NameStarsDownloadsRepos Using ThisPackages Using ThisMost Recent CommitTotal ReleasesLatest ReleaseOpen IssuesLicenseLanguage
Dex8,455222 days ago66March 22, 2022406apache-2.0Go
OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors
Wechat Php Sdk4,430317 months ago1March 15, 2015155PHP
微信公众平台php开发包, weixin developer SDK.
Fosite2,145508812 days ago280December 07, 202239apache-2.0Go
Extensible security first OAuth 2.0 and OpenID Connect SDK for Go.
React Native App Auth1,80015122 days ago48November 23, 2022133mitJava
React native bridge for AppAuth - an SDK for communicating with OAuth2 providers
Node Openid Client1,60727547411 hours ago175July 06, 2023mitJavaScript
OpenID Certified™ Relying Party (OpenID Connect/OAuth 2.0 Client) implementation for Node.js.
Kubelogin1,326221 days ago113June 24, 202378apache-2.0Go
kubectl plugin for Kubernetes OpenID Connect authentication (kubectl oidc-login)
Angular Auth Oidc Client1,0503913a day ago172August 27, 2023128mitTypeScript
npm package for OpenID Connect, OAuth Code Flow with PKCE, Refresh tokens, Implicit Flow
Jso829343 years ago10August 13, 201842otherJavaScript
Easy to use OAuth 2.0 javascript library for use in your javascript application.
Openid Connect Php5152362 months ago20September 30, 202283apache-2.0PHP
Minimalist OpenID Connect client
13 days ago5mitC#
Different ASP.NET Core applications using OpenID Connect Hybrid flow Code Flow, Code Flow with PKCE, JWT APIs, MFA examples
Alternatives To Openid Connect Php
Select To Compare

Alternative Project Comparisons

PHP OpenID Connect Basic Client

A simple library that allows an application to authenticate a user through the basic OpenID Connect flow. This library hopes to encourage OpenID Connect use by making it simple enough for a developer with little knowledge of the OpenID Connect protocol to set up authentication.

A special thanks goes to Justin Richer and Amanda Anganes for their help and support of the protocol.


  1. PHP 5.4 or greater
  2. CURL extension
  3. JSON extension


  1. Install library using composer
composer require jumbojett/openid-connect-php
  1. Include composer autoloader
require __DIR__ . '/vendor/autoload.php';

Example 1: Basic Client

use Jumbojett\OpenIDConnectClient;

$oidc = new OpenIDConnectClient('',
$name = $oidc->requestUserInfo('given_name');

See openid spec for available user attributes

Example 2: Dynamic Registration

use Jumbojett\OpenIDConnectClient;

$oidc = new OpenIDConnectClient("");

$client_id = $oidc->getClientID();
$client_secret = $oidc->getClientSecret();

// Be sure to add logic to store the client id and client secret

Example 3: Network and Security

// Configure a proxy

// Configure a cert

Example 4: Request Client Credentials Token

use Jumbojett\OpenIDConnectClient;

$oidc = new OpenIDConnectClient('',

// this assumes success (to validate check if the access_token property is there and a valid JWT) :
$clientCredentialsToken = $oidc->requestClientCredentialsToken()->access_token;

Example 5: Request Resource Owners Token (with client auth)

use Jumbojett\OpenIDConnectClient;

$oidc = new OpenIDConnectClient('',

//Add username and password

//Perform the auth and return the token (to validate check if the access_token property is there and a valid JWT) :
$token = $oidc->requestResourceOwnerToken(TRUE)->access_token;

Example 6: Basic client for implicit flow e.g. with Azure AD B2C (see

use Jumbojett\OpenIDConnectClient;

$oidc = new OpenIDConnectClient('',
$oidc->addAuthParam(array('response_mode' => 'form_post'));
$sub = $oidc->getVerifiedClaims('sub');

Example 7: Introspection of an access token (see

use Jumbojett\OpenIDConnectClient;

$oidc = new OpenIDConnectClient('',
$data = $oidc->introspectToken('');
if (!$data->active) {
    // the token is no longer usable

Example 8: PKCE Client

use Jumbojett\OpenIDConnectClient;

$oidc = new OpenIDConnectClient('',
$name = $oidc->requestUserInfo('given_name');

Example 9: Back-channel logout

Back-channel authentication assumes you can end a session on the server side on behalf of the user (without relying on their browser). The request is a POST from the OP direct to your RP. In this way, the use of this library can ensure your RP performs 'single sign out' for the user even if they didn't have your RP open in a browser or other device, but still had an active session there.

Either the sid or the sub may be accessible from the logout token sent from the OP. You can use either getSidFromBackChannel() or getSubjectFromBackChannel() to retrieve them if it is helpful to match them to a session in order to destroy it.

The below ensures the use of this library to ensure validation of the back-channel logout token, but is afterward just a hypothetical way of finding such a session and destroying it. Adjust it to the needs of your RP.

function handleLogout() {
    // NOTE: assumes that $this->oidc is an instance of OpenIDConnectClient()
    if ($this->oidc->verifyLogoutToken()) {
        $sid = $this->oidc->getSidFromBackChannel();

        if (isset($sid)) {
            // Somehow find the session based on the $sid and
            // destroy it. This depends on your RP's design,
            // there is nothing in the OIDC spec to mandate how.
            // In this example, we find a Redis key, which was
            // previously stored using the sid we obtained from
            // the access token after login.
            // The value of the Redis key is that of the user's
            // session ID specific to this hypothetical RP app.
            // We then switch to that session and destroy it.
            $this->redis->connect('', 6379);
            $session_id_to_destroy = $this->redis->get($sid);
            if ($session_id_to_destroy) {
                session_id($session_id_to_destroy); // switches to that session
                $_SESSION = array(); // effectively ends the session

Example 10: Enable Token Endpoint Auth Methods

By default, only client_secret_basic is enabled on client side which was the only supported for a long time. Recently client_secret_jwt and private_key_jwt have been added, but they remain disabled until explicitly enabled.

use Jumbojett\OpenIDConnectClient;

$oidc = new OpenIDConnectClient('',
# enable 'client_secret_basic' and 'client_secret_jwt'                                
$oidc->setTokenEndpointAuthMethodsSupported(['client_secret_basic', 'client_secret_jwt']);

# for 'private_key_jwt' in addition also the generator function has to be set.
$oidc->setPrivateKeyJwtGenerator(function(string $token_endpoint) {
    # TODO: what ever is necessary

Development Environments

In some cases you may need to disable SSL security on your development systems. Note: This is not recommended on production systems.


Also, your local system might not support HTTPS, so you might disable upgrading to it:



  • Dynamic registration does not support registration auth tokens and endpoints


  • All pull requests, once merged, should be added to the file.
Popular Openid Projects
Popular Token Projects
Popular Security Categories
Related Searches

Get A Weekly Email With Trending Projects For These Categories
No Spam. Unsubscribe easily at any time.
Openid Connect